[GH-ISSUE #216] whitelist globbing

gitea-mirror commented

2026-05-05 05:10:19 -06:00

Owner

Originally created by @curiosity-seeker on GitHub (Jan 10, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/216

I was trying to rewrite/streamline my Firejail profile for LibreOffice. One rule which I tried was

whitelist ~/*.odt

but that doesn't work. It does work, though, in the form

whitelist ~/Example.odt

So it seems that placeholders are not supported. This would be a very useful enhancement in Firejail, indeed!

Originally created by @curiosity-seeker on GitHub (Jan 10, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/216 I was trying to rewrite/streamline my Firejail profile for LibreOffice. One rule which I tried was whitelist ~/*.odt but that doesn't work. It does work, though, in the form whitelist ~/Example.odt So it seems that placeholders are not supported. This would be a very useful enhancement in Firejail, indeed!

gitea-mirror

2026-05-05 05:10:19 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 05:10:24 -06:00

Author

Owner

@netblue30 commented on GitHub (Jan 10, 2016):

I'll implement it, thanks for the idea!

@netblue30 commented on GitHub (Jan 10, 2016): I'll implement it, thanks for the idea!

gitea-mirror commented

2026-05-05 05:10:27 -06:00

Author

Owner

@curiosity-seeker commented on GitHub (Jan 10, 2016):

Great - thank you very much in advance!

BTW, it would be nice if one could add several file suffixes in one line if possible. Something like

whitelist ~/*.odt, *.doc, *.docx

or

whitelist ~/*.odt | *.doc | *.docx

just to keep the profile more readable.

@curiosity-seeker commented on GitHub (Jan 10, 2016): Great - thank you very much in advance! BTW, it would be nice if one could add several file suffixes in one line if possible. Something like whitelist ~/*.odt, *.doc, *.docx or whitelist ~/*.odt | *.doc | *.docx just to keep the profile more readable.

gitea-mirror commented

2026-05-05 05:10:29 -06:00

Author

Owner

@netblue30 commented on GitHub (Jan 10, 2016):

I'll try that one also.

@netblue30 commented on GitHub (Jan 10, 2016): I'll try that one also.

gitea-mirror commented

2026-05-05 05:10:31 -06:00

Author

Owner

@ghost commented on GitHub (Jan 31, 2016):

Maybe in Bash syntax:
whitelist ~/*.{odt,doc,docx}

@ghost commented on GitHub (Jan 31, 2016): Maybe in Bash syntax: whitelist ~/*.{odt,doc,docx}

gitea-mirror commented

2026-05-05 05:10:34 -06:00

Author

Owner

@netblue30 commented on GitHub (Mar 6, 2016):

several similar requests to follow:

@netblue30 commented on GitHub (Mar 6, 2016): several similar requests to follow:

gitea-mirror commented

2026-05-05 05:10:35 -06:00

Author

Owner

@netblue30 commented on GitHub (May 2, 2016):

Also allow {}

@netblue30 commented on GitHub (May 2, 2016): Also allow [](){}

gitea-mirror commented

2026-05-05 05:10:37 -06:00

Author

Owner

@vn971 commented on GitHub (May 13, 2016):

And []

@vn971 commented on GitHub (May 13, 2016): And `[]`

gitea-mirror commented

2026-05-05 05:10:40 -06:00

Author

Owner

@msva commented on GitHub (Mar 5, 2017):

Any updates on this?

@msva commented on GitHub (Mar 5, 2017): Any updates on this?

gitea-mirror commented

2026-05-05 05:10:42 -06:00

Author

Owner

@june128 commented on GitHub (Oct 15, 2019):

I'm currently working on enhancing the Thunderbird profile, so that Thunderbird can set itself as the default mail-program (and other things).
Thunderbird needs to modify the ~/.config/mimeapps.list-file for that. It does that by first creating a file named ~/.config/mimeapps.list.randomBit (where randomBit are 6 random characters [a-zA-Z0-9]) and then renaming this temporary file to ~/.config/mimeapps.list to make the change.

For that enhancement to be done, whitelist globbing would be needed (I think).

@june128 commented on GitHub (Oct 15, 2019): I'm currently working on enhancing the Thunderbird profile, so that Thunderbird can set itself as the default mail-program (and other things). Thunderbird needs to modify the `~/.config/mimeapps.list`-file for that. It does that by first creating a file named `~/.config/mimeapps.list.randomBit` (where `randomBit` are 6 random characters `[a-zA-Z0-9]`) and then renaming this temporary file to `~/.config/mimeapps.list` to make the change. For that enhancement to be done, whitelist globbing would be needed (I think).

gitea-mirror commented

2026-05-05 05:10:44 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 16, 2019):

@julianschacher #2874

EDIT:

whitelist globbing would be needed (I think)

To whitelist a file/dir it must be exists in the "normal" fs, thats why mkdir/mkfile is in the profiles.

@rusty-snake commented on GitHub (Oct 16, 2019): @julianschacher #2874 EDIT: > whitelist globbing would be needed (I think) To `whitelist` a file/dir it must be exists in the "normal" fs, thats why `mkdir`/`mkfile` is in the profiles.

gitea-mirror commented

2026-05-05 05:10:47 -06:00

Author

Owner

@june128 commented on GitHub (Oct 17, 2019):

@julianschacher #2874

@rusty-snake Thanks for the link! That's really an unfortunate issue.

@june128 commented on GitHub (Oct 17, 2019): > @julianschacher #2874 @rusty-snake Thanks for the link! That's really an unfortunate issue.

gitea-mirror commented

2026-05-05 05:10:48 -06:00

Author

Owner

@rusty-snake commented on GitHub (Apr 1, 2020):

601df2f

@rusty-snake commented on GitHub (Apr 1, 2020): 601df2f

gitea-mirror commented

2026-05-05 05:10:50 -06:00

Author

Owner

@danielkrajnik commented on GitHub (Dec 18, 2021):

thanks, is it possible to use it resursively, that is all *.mp4 files in a directory and its subdirectories?

@danielkrajnik commented on GitHub (Dec 18, 2021): thanks, is it possible to use it resursively, that is all *.mp4 files in a directory and its subdirectories?

gitea-mirror commented

2026-05-05 05:10:51 -06:00

Author

Owner

@rusty-snake commented on GitHub (Dec 19, 2021):

man 7 glob:

Globbing is applied on each of the components of a pathname separately. A '/' in a pathname cannot be matched by a '?' or '*' wildcard

@rusty-snake commented on GitHub (Dec 19, 2021): `man 7 glob`: > Globbing is applied on each of the components of a pathname separately. A '/' in a pathname cannot be matched by a '?' or '*' wildcard

gitea-mirror commented

2026-05-05 05:10:53 -06:00

Author

Owner

@danielkrajnik commented on GitHub (Dec 19, 2021):

I see, so glibc doesn't provide a way to do it? Is there no other way to whitelist all files of specific format (e.g. *.mp4) in all subdirectories?

@danielkrajnik commented on GitHub (Dec 19, 2021): I see, so glibc doesn't provide a way to do it? Is there no other way to whitelist all files of specific format (e.g. *.mp4) in all subdirectories?

gitea-mirror commented

2026-05-05 05:10:54 -06:00

Author

Owner

@rusty-snake commented on GitHub (Dec 19, 2021):

If the (sub)directory structure isn't to deep, you can

whitelist ${HOME}/Downloads/*.mp4
whitelist ${HOME}/Downloads/*/*.mp4
whitelist ${HOME}/Downloads/*/*/*.mp4

@rusty-snake commented on GitHub (Dec 19, 2021): If the (sub)directory structure isn't to deep, you can ``` whitelist ${HOME}/Downloads/*.mp4 whitelist ${HOME}/Downloads/*/*.mp4 whitelist ${HOME}/Downloads/*/*/*.mp4 ```

gitea-mirror commented

2026-05-05 05:10:56 -06:00

Author

Owner

@danielkrajnik commented on GitHub (Dec 19, 2021):

Thanks, it is quite deep unfortunately (network mount). Ideally there would be a way to whitelist only certain files in such large directories rather than all of it.

@danielkrajnik commented on GitHub (Dec 19, 2021): Thanks, it is quite deep unfortunately (network mount). Ideally there would be a way to whitelist only certain files in such large directories rather than all of it.

gitea-mirror commented

2026-05-05 05:10:57 -06:00

Author

Owner

@ghost commented on GitHub (Dec 19, 2021):

@danielkrajnik Maybe you could write a shell script from where you pre-select the (*.mp4) files you want to whitelist and bind mount them in a specific location. That way you can blacklist your network mount and only whitelist the new mount path. Have you tried that yet?

@ghost commented on GitHub (Dec 19, 2021): @danielkrajnik Maybe you could write a shell script from where you pre-select the (*.mp4) files you want to whitelist and bind mount them in a specific location. That way you can blacklist your network mount and only whitelist the new mount path. Have you tried that yet?

gitea-mirror commented

2026-05-05 05:10:59 -06:00

Author

Owner

@rusty-snake commented on GitHub (Dec 19, 2021):

You can use find+xargs:

find ~/Videos -type f -name "*.mp4" -printf "--whitelist=%p\0" | xargs -0 -x -s 65536 /bin/sh -c 'firejail "$@" /usr/bin/totem'

I'm not sure if you can perform injections with this command (spaces in filenames work), but if this is an untrusted network mount, you should check this.

@rusty-snake commented on GitHub (Dec 19, 2021): You can use find+xargs: ```bash find ~/Videos -type f -name "*.mp4" -printf "--whitelist=%p\0" | xargs -0 -x -s 65536 /bin/sh -c 'firejail "$@" /usr/bin/totem' ``` _I'm not sure if you can perform injections with this command (spaces in filenames work), but if this is an untrusted network mount, you should check this._

gitea-mirror referenced this issue

2026-05-05 10:03:27 -06:00

[PR #150] [MERGED] keep original file permissions #3550

Rows
Columns

[GH-ISSUE #216] whitelist globbing #149